If Titan Security Key sounds familiar to you, that’s because Google made it available to Google Cloud users last month. But the security dongle is available right now to anyone who thinks they need stronger protection for their Google accounts and other online properties.
In a post on the Google Cloud blog, Google explains that the Titan keys are built on the FIDO standards and that the devices are designed to prevent hacks at every stage, from manufacturing through actual use. Google makes a point of explaining that the firmware in charge of the crypto operations can’t be hacked before the product ships to consumers:
“The firmware performing the cryptographic operations has been engineered by Google with security in mind. This firmware is sealed permanently into a secure element hardware chip at production time in the chip production factory. The secure element hardware chip that we use is designed to resist physical attacks aimed at extracting firmware and secret key material.
“These permanently-sealed secure element hardware chips are then delivered to the manufacturing line which makes the physical security key device. Thus, the trust in Titan Security Key is anchored in the sealed chip as opposed to any other later step which takes place during device manufacturing.”
Also, Google says that it has been working with Yubico and NXP to develop security keys to be used inside Google. Since it began requiring security keys as a second factor for employees, Google has had no reported or confirmed account takeovers following phishing attacks.
If you’re a potential target for hackers — a politician, business leader, journalist, or activist — Google’s Titan key might be for you. Also, check out Google’s Advanced Protection Program. But even if you’re not likely to be the target of hacks, and you’re tech-savvy enough to avoid phishing scams, you should still consider the service. Titan Security Keys also work with Dropbox, Facebook, GitHub, Salesforce, Stripe, Twitter, and other services that support FIDO standards.